Don't forget DHCP

Dec. 28 2004

One of my first published papers was about IP renumbering. It described changing literally thousands of machines. I've since spoken on the topic many times. People often come up to me and relate their IP renumbering stories.

Recently someone told me this story. He's at a new job site. Previous to his arrival the site had just done a large renumbering job. They don't have a DHCP server. He commented, "It wasn't apparent to the others how a DHCP server could have helped."

This reminds me of the power of a good social network of technical friends, for example local user groups. When you do something every day you get good at it and you don't need advice. It's the special projects for which we should all remember to ask for advice. Renumbering is relatively rare, and yet the people that have done it many times (or even one time recently) have a lot of useful hindsight to offer.

I've seen quite a few sites that don't use DHCP, but most of them are military sites with strict network policies. However, the non-military sites I've seen that didn't use DHCP made one of the following cases: (1) we rarely install new machines, and when we do, typing in the IP address isn't a big deal, or (2) people need to be able to SSH to (or somehow contact) a machine, and DHCP would just make it impossible for people to find the machine they need to contact.

First of all, count the number of times you've had a network outage in the last year due to someone configuring a machine and reversing the IP address and the default gateway. Oh, I'm sure you never did that by mistake, dear reader. This usually happens when someone comes to you asking for an IP address for their machine. You write on a scrap of paper

IP 10.10.100.123

netmask: 255.255.255.0

gw: 10.10.10.1

and hand it to them. They walk away and suddenly the network goes down. The person reversed the IP address and the gateway, and you now have two machines using the same address (the new machine and the router) and everything has gone crazy.

With DHCP, you eliminate that kind of outage.

Oh yes, there are also all the stock reasons people use DHCP... easier deployment of new machines, ability to have "guests" plug in and go, easier renumbering, and so on. However, I find that DHCP's "dirty little secret" is that it prevents these human errors and that's more valuable than the management-friendly benefits like, "faster deployment". I mean, who wants to admit humans cause network outages?

DHCP permits "static assignments" and "pool assignments". Static assignment is where you configure the server so that if a particular Ethernet MAC address requests an address, it is always given a particular IP address. For example, at home my PC with Ethernet address 0:6:c1:5f:dc:ba is always assigned 10.10.10.62. An address pool is where you assign a range of IP addresses (say, 10.10.100 through 10.10.199) and new machines are assigned a random address from the "pool" of addresses. (Good DHCP servers will always assign a host the same address it got last time, assuming nobody else has been assigned that address in the meantime.)

When to use each? I believe in using static assignment as much as possible. If a machine is going to be "in the building" a lot (desktops, and laptops from people with offices in the building), I lock its Ethernet address to a particular IP address. That way it can be in DNS, so people can reach the machine and log files list the right host. It also means that if there is a shortage of IP addresses (more on that later) the people that are usually on this network won't be affected.

I like to use DHCP even for devices like printers and other IP-enabled appliances. You might ask, "Why for a printer? Those things never change IP address!" But DHCP also supplies the netmask and other settings. The trouble that comes from a few devices lagging behind at the old netmask during a conversion can be frustrating. With DHCP, you change the netmask at the server and wait for such devices to be power-cycled at will.

So when do I use a pool? I use a pool in two cases. First, for visitor machines: While I might have 100 statically assigned DHCP addresses for the permanent machines on my network (and laptops of people that officially work in this building), it is useful to assign a pool of a dozen or so addresses for visitors. This saves a lot of time since I don't have to set them up when they visit. They just plug in and go. (Yes, there are security implications to this, but without DHCP a determined person would be on a network within minutes anyway).

The other case is when I have many machines chasing a smaller number of addresses. For example, if you have a modem pool with 12 modems but 1000 people might be dialing in. You only need to assign 12 addresses because you only have 12 physical modems. It wouldn't make sense to allocate 1,000 addresses when there is no way more than 12 could be used at any given time.

Ok, modems aren't a good example because nobody uses them anymore. However, let's say you have 1,000 people that could be visiting your office, only 20 or so might be there at any time. Hmm... that's another example of the first case.

Another kind of "guest" or temporary user is the new machine. As a system administrator it is very convenient when setting up a new machine for it to receive a temporary address. You can check the logs to see its Ethernet MAC address, and cut-and-paste it into the configuration so that at the next reboot it gets its permanently assigned static address.
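As an added example (not from the original post), the new-machine workflow just described and the reversed-IP/gateway outage earlier: a script that pulls the MAC of a pool-addressed machine out of DHCP server logs and produces a static host entry, refusing addresses that collide with the router or fall inside the visitor pool. It assumes ISC dhcpd-style syslog lines and config syntax, a 10.10.10.0/24 subnet with router 10.10.10.1, and a visitor pool of 10.10.10.100-10.10.10.199; the log lines are constructed.

```python
import ipaddress
import re

# Constructed sample log lines in the ISC dhcpd syslog style (an assumption:
# the article names no specific server; nothing here is a real capture).
SAMPLE_LOG = """\
Dec 28 09:12:01 dhcp1 dhcpd: DHCPDISCOVER from 0:6:c1:5f:dc:ba via eth0
Dec 28 09:12:02 dhcp1 dhcpd: DHCPACK on 10.10.10.62 to 00:06:c1:5f:dc:ba (tom-pc) via eth0
Dec 28 09:30:44 dhcp1 dhcpd: DHCPACK on 10.10.10.150 to 00:0c:29:aa:bb:cc (newbox) via eth0
Dec 28 09:31:10 dhcp1 dhcpd: DHCPACK on 10.10.10.151 to 00:0c:29:dd:ee:ff via eth0
"""

ACK_RE = re.compile(r"DHCPACK on (\S+) to ([0-9a-fA-F:]+)(?: \((\S+)\))?")

def normalize_mac(mac):
    """Zero-pad each octet so '0:6:c1:5f:dc:ba' and '00:06:c1:5f:dc:ba' compare equal."""
    return ":".join(part.zfill(2).lower() for part in mac.split(":"))

def pool_leases(log_text, pool_start, pool_end):
    """Return {mac: (ip, hostname)} for the latest DHCPACK of each MAC inside the pool range."""
    lo, hi = int(ipaddress.IPv4Address(pool_start)), int(ipaddress.IPv4Address(pool_end))
    seen = {}
    for line in log_text.splitlines():
        m = ACK_RE.search(line)
        if not m:
            continue
        ip, mac, host = m.group(1), normalize_mac(m.group(2)), m.group(3)
        if lo <= int(ipaddress.IPv4Address(ip)) <= hi:
            seen[mac] = (ip, host)   # later lines overwrite earlier ones
    return seen

def check_static_address(fixed_ip, subnet, router, pool_start, pool_end):
    """Return None if fixed_ip is safe to hand out statically, else a reason string."""
    net = ipaddress.IPv4Network(subnet)
    addr = ipaddress.IPv4Address(fixed_ip)
    if addr not in net or addr in (net.network_address, net.broadcast_address):
        return f"{fixed_ip} is not a usable host address in {subnet}"
    if addr == ipaddress.IPv4Address(router):
        return f"{fixed_ip} is the router address (the reversed IP/gateway mistake)"
    if int(ipaddress.IPv4Address(pool_start)) <= int(addr) <= int(ipaddress.IPv4Address(pool_end)):
        return f"{fixed_ip} lies inside the visitor pool {pool_start}-{pool_end}"
    return None

def host_stanza(name, mac, fixed_ip, subnet, router, pool_start, pool_end):
    """Emit an ISC-style 'host' block for dhcpd.conf, or raise if the address is unsafe."""
    problem = check_static_address(fixed_ip, subnet, router, pool_start, pool_end)
    if problem:
        raise ValueError(problem)
    return (f"host {name} {{\n  hardware ethernet {normalize_mac(mac)};\n"
            f"  fixed-address {fixed_ip};\n}}")
```

Run it against the server's real syslog output instead of SAMPLE_LOG, pick the unknown MAC from the pool leases, and paste the returned stanza into the server configuration before the machine's next reboot.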

I guess I should close this piece by reviewing some DHCP server software packages that I use:

The DHCP server built into Windows server -- Just kidding, it has tons of bugs and some extensions that really worry me. However, it is "free" if you already have Windows servers and it's better to have a mediocre DHCP server than none at all.

The DHCP built into Cisco PIX -- Often a DHCP-server-of-last-resort since it doesn't permit static assignments but, again, any port in a storm.

Various other commercial products -- I don't have experience with other commercial DHCP products, but I encourage people to post comments with their recommendations.

We went through a renumbering/network rearchitecture just over a year ago as part of an organizational split (sound familiar, Tom?) and took advantage of that to also move from locally-configured static addressing to DHCP-configured static addressing. This meant that the desktop crew could convert machines to DHCP over time, then we could "throw the switch" over a weekend and have everything wind up on the new network.

Later, we found that one of the desktop subnets was getting full, while another was still fairly empty. We'd originally split them to keep traffic off a slow inter-building link, which had since been upgraded; this meant that we could easily merge them into one larger subnet. A quick set of DHCP and switch changes over a couple weekends, and the change was done with no pain, and few user-visible changes. (The most notable: people could see more iTunes libraries.)